Zephyr API Documentation  3.7.99
A Scalable Open Source RTOS
Loading...
Searching...
No Matches
net_pkt_filter.h
Go to the documentation of this file.
1
8/*
9 * Copyright (c) 2021 BayLibre SAS
10 *
11 * SPDX-License-Identifier: Apache-2.0
12 */
13
14#ifndef ZEPHYR_INCLUDE_NET_PKT_FILTER_H_
15#define ZEPHYR_INCLUDE_NET_PKT_FILTER_H_
16
17#include <limits.h>
18#include <stdbool.h>
19#include <zephyr/sys/slist.h>
20#include <zephyr/net/net_core.h>
21#include <zephyr/net/ethernet.h>
22
23#ifdef __cplusplus
24extern "C" {
25#endif
26
36struct npf_test;
37
38typedef bool (npf_test_fn_t)(struct npf_test *test, struct net_pkt *pkt);
39
43struct npf_test {
44 npf_test_fn_t *fn;
45};
46
48struct npf_rule {
49 sys_snode_t node;
50 enum net_verdict result;
51 uint32_t nb_tests;
52 struct npf_test *tests[];
53};
54
56extern struct npf_rule npf_default_ok;
58extern struct npf_rule npf_default_drop;
59
61struct npf_rule_list {
62 sys_slist_t rule_head;
63 struct k_spinlock lock;
64};
65
67extern struct npf_rule_list npf_send_rules;
69extern struct npf_rule_list npf_recv_rules;
71extern struct npf_rule_list npf_local_in_recv_rules;
73extern struct npf_rule_list npf_ipv4_recv_rules;
75extern struct npf_rule_list npf_ipv6_recv_rules;
76
83void npf_insert_rule(struct npf_rule_list *rules, struct npf_rule *rule);
84
91void npf_append_rule(struct npf_rule_list *rules, struct npf_rule *rule);
92
100bool npf_remove_rule(struct npf_rule_list *rules, struct npf_rule *rule);
101
108bool npf_remove_all_rules(struct npf_rule_list *rules);
109
112/* convenience shortcuts */
113#define npf_insert_send_rule(rule) npf_insert_rule(&npf_send_rules, rule)
114#define npf_insert_recv_rule(rule) npf_insert_rule(&npf_recv_rules, rule)
115#define npf_append_send_rule(rule) npf_append_rule(&npf_send_rules, rule)
116#define npf_append_recv_rule(rule) npf_append_rule(&npf_recv_rules, rule)
117#define npf_remove_send_rule(rule) npf_remove_rule(&npf_send_rules, rule)
118#define npf_remove_recv_rule(rule) npf_remove_rule(&npf_recv_rules, rule)
119#define npf_remove_all_send_rules() npf_remove_all_rules(&npf_send_rules)
120#define npf_remove_all_recv_rules() npf_remove_all_rules(&npf_recv_rules)
121
122#ifdef CONFIG_NET_PKT_FILTER_LOCAL_IN_HOOK
123#define npf_insert_local_in_recv_rule(rule) npf_insert_rule(&npf_local_in_recv_rules, rule)
124#define npf_append_local_in_recv_rule(rule) npf_append_rule(&npf_local_in_recv_rules, rule)
125#define npf_remove_local_in_recv_rule(rule) npf_remove_rule(&npf_local_in_recv_rules, rule)
126#define npf_remove_all_local_in_recv_rules() npf_remove_all_rules(&npf_local_in_recv_rules)
127#endif /* CONFIG_NET_PKT_FILTER_LOCAL_IN_HOOK */
128
129#ifdef CONFIG_NET_PKT_FILTER_IPV4_HOOK
130#define npf_insert_ipv4_recv_rule(rule) npf_insert_rule(&npf_ipv4_recv_rules, rule)
131#define npf_append_ipv4_recv_rule(rule) npf_append_rule(&npf_ipv4_recv_rules, rule)
132#define npf_remove_ipv4_recv_rule(rule) npf_remove_rule(&npf_ipv4_recv_rules, rule)
133#define npf_remove_all_ipv4_recv_rules() npf_remove_all_rules(&npf_ipv4_recv_rules)
134#endif /* CONFIG_NET_PKT_FILTER_IPV4_HOOK */
135
136#ifdef CONFIG_NET_PKT_FILTER_IPV6_HOOK
137#define npf_insert_ipv6_recv_rule(rule) npf_insert_rule(&npf_ipv6_recv_rules, rule)
138#define npf_append_ipv6_recv_rule(rule) npf_append_rule(&npf_ipv6_recv_rules, rule)
139#define npf_remove_ipv6_recv_rule(rule) npf_remove_rule(&npf_ipv6_recv_rules, rule)
140#define npf_remove_all_ipv6_recv_rules() npf_remove_all_rules(&npf_ipv6_recv_rules)
141#endif /* CONFIG_NET_PKT_FILTER_IPV6_HOOK */
142
199#define NPF_RULE(_name, _result, ...) \
200 struct npf_rule _name = { \
201 .result = (_result), \
202 .nb_tests = NUM_VA_ARGS_LESS_1(__VA_ARGS__) + 1, \
203 .tests = { FOR_EACH(Z_NPF_TEST_ADDR, (,), __VA_ARGS__) }, \
204 }
205
206#define Z_NPF_TEST_ADDR(arg) &arg.test
207
218struct npf_test_iface {
219 struct npf_test test;
220 struct net_if *iface;
221};
222
223extern npf_test_fn_t npf_iface_match;
224extern npf_test_fn_t npf_iface_unmatch;
225extern npf_test_fn_t npf_orig_iface_match;
226extern npf_test_fn_t npf_orig_iface_unmatch;
227
236#define NPF_IFACE_MATCH(_name, _iface) \
237 struct npf_test_iface _name = { \
238 .iface = (_iface), \
239 .test.fn = npf_iface_match, \
240 }
241
248#define NPF_IFACE_UNMATCH(_name, _iface) \
249 struct npf_test_iface _name = { \
250 .iface = (_iface), \
251 .test.fn = npf_iface_unmatch, \
252 }
253
260#define NPF_ORIG_IFACE_MATCH(_name, _iface) \
261 struct npf_test_iface _name = { \
262 .iface = (_iface), \
263 .test.fn = npf_orig_iface_match, \
264 }
265
272#define NPF_ORIG_IFACE_UNMATCH(_name, _iface) \
273 struct npf_test_iface _name = { \
274 .iface = (_iface), \
275 .test.fn = npf_orig_iface_unmatch, \
276 }
277
280struct npf_test_size_bounds {
281 struct npf_test test;
282 size_t min;
283 size_t max;
284};
285
286extern npf_test_fn_t npf_size_inbounds;
287
296#define NPF_SIZE_MIN(_name, _size) \
297 struct npf_test_size_bounds _name = { \
298 .min = (_size), \
299 .max = SIZE_MAX, \
300 .test.fn = npf_size_inbounds, \
301 }
302
309#define NPF_SIZE_MAX(_name, _size) \
310 struct npf_test_size_bounds _name = { \
311 .min = 0, \
312 .max = (_size), \
313 .test.fn = npf_size_inbounds, \
314 }
315
323#define NPF_SIZE_BOUNDS(_name, _min_size, _max_size) \
324 struct npf_test_size_bounds _name = { \
325 .min = (_min_size), \
326 .max = (_max_size), \
327 .test.fn = npf_size_inbounds, \
328 }
329
332struct npf_test_ip {
333 struct npf_test test;
334 uint8_t addr_family;
335 void *ipaddr;
336 uint32_t ipaddr_num;
337};
338
339extern npf_test_fn_t npf_ip_src_addr_match;
340extern npf_test_fn_t npf_ip_src_addr_unmatch;
341
356#define NPF_IP_SRC_ADDR_ALLOWLIST(_name, _ip_addr_array, _ip_addr_num, _af) \
357 struct npf_test_ip _name = { \
358 .addr_family = _af, \
359 .ipaddr = (_ip_addr_array), \
360 .ipaddr_num = _ip_addr_num, \
361 .test.fn = npf_ip_src_addr_match, \
362 }
363
376#define NPF_IP_SRC_ADDR_BLOCKLIST(_name, _ip_addr_array, _ip_addr_num, _af) \
377 struct npf_test_ip _name = { \
378 .addr_family = _af, \
379 .ipaddr = (_ip_addr_array), \
380 .ipaddr_num = _ip_addr_num, \
381 .test.fn = npf_ip_src_addr_unmatch, \
382 }
383
394struct npf_test_eth_addr {
395 struct npf_test test;
396 unsigned int nb_addresses;
397 struct net_eth_addr *addresses;
398 struct net_eth_addr mask;
399};
400
401extern npf_test_fn_t npf_eth_src_addr_match;
402extern npf_test_fn_t npf_eth_src_addr_unmatch;
403extern npf_test_fn_t npf_eth_dst_addr_match;
404extern npf_test_fn_t npf_eth_dst_addr_unmatch;
405
417#define NPF_ETH_SRC_ADDR_MATCH(_name, _addr_array) \
418 struct npf_test_eth_addr _name = { \
419 .addresses = (_addr_array), \
420 .nb_addresses = ARRAY_SIZE(_addr_array), \
421 .test.fn = npf_eth_src_addr_match, \
422 .mask.addr = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, \
423 }
424
434#define NPF_ETH_SRC_ADDR_UNMATCH(_name, _addr_array) \
435 struct npf_test_eth_addr _name = { \
436 .addresses = (_addr_array), \
437 .nb_addresses = ARRAY_SIZE(_addr_array), \
438 .test.fn = npf_eth_src_addr_unmatch, \
439 .mask.addr = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, \
440 }
441
451#define NPF_ETH_DST_ADDR_MATCH(_name, _addr_array) \
452 struct npf_test_eth_addr _name = { \
453 .addresses = (_addr_array), \
454 .nb_addresses = ARRAY_SIZE(_addr_array), \
455 .test.fn = npf_eth_dst_addr_match, \
456 .mask.addr = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, \
457 }
458
468#define NPF_ETH_DST_ADDR_UNMATCH(_name, _addr_array) \
469 struct npf_test_eth_addr _name = { \
470 .addresses = (_addr_array), \
471 .nb_addresses = ARRAY_SIZE(_addr_array), \
472 .test.fn = npf_eth_dst_addr_unmatch, \
473 .mask.addr = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, \
474 }
475
486#define NPF_ETH_SRC_ADDR_MASK_MATCH(_name, _addr_array, ...) \
487 struct npf_test_eth_addr _name = { \
488 .addresses = (_addr_array), \
489 .nb_addresses = ARRAY_SIZE(_addr_array), \
490 .mask.addr = { __VA_ARGS__ }, \
491 .test.fn = npf_eth_src_addr_match, \
492 }
493
504#define NPF_ETH_DST_ADDR_MASK_MATCH(_name, _addr_array, ...) \
505 struct npf_test_eth_addr _name = { \
506 .addresses = (_addr_array), \
507 .nb_addresses = ARRAY_SIZE(_addr_array), \
508 .mask.addr = { __VA_ARGS__ }, \
509 .test.fn = npf_eth_dst_addr_match, \
510 }
511
514struct npf_test_eth_type {
515 struct npf_test test;
516 uint16_t type; /* type in network order */
517};
518
519extern npf_test_fn_t npf_eth_type_match;
520extern npf_test_fn_t npf_eth_type_unmatch;
521
530#define NPF_ETH_TYPE_MATCH(_name, _type) \
531 struct npf_test_eth_type _name = { \
532 .type = htons(_type), \
533 .test.fn = npf_eth_type_match, \
534 }
535
542#define NPF_ETH_TYPE_UNMATCH(_name, _type) \
543 struct npf_test_eth_type _name = { \
544 .type = htons(_type), \
545 .test.fn = npf_eth_type_unmatch, \
546 }
547
550#ifdef __cplusplus
551}
552#endif
553
554#endif /* ZEPHYR_INCLUDE_NET_PKT_FILTER_H_ */
ethernet.h
Ethernet.
net_verdict
net_verdict
Net Verdict.
Definition: net_core.h:100
npf_insert_rule
void npf_insert_rule(struct npf_rule_list *rules, struct npf_rule *rule)
Insert a rule at the front of given rule list.
npf_remove_rule
bool npf_remove_rule(struct npf_rule_list *rules, struct npf_rule *rule)
Remove a rule from the given rule list.
npf_remove_all_rules
bool npf_remove_all_rules(struct npf_rule_list *rules)
Remove all rules from the given rule list.
npf_local_in_recv_rules
struct npf_rule_list npf_local_in_recv_rules
rule list applied for local incoming packets
npf_send_rules
struct npf_rule_list npf_send_rules
rule list applied to outgoing packets
npf_default_drop
struct npf_rule npf_default_drop
Default rule list termination for rejecting a packet.
npf_recv_rules
struct npf_rule_list npf_recv_rules
rule list applied to incoming packets
npf_default_ok
struct npf_rule npf_default_ok
Default rule list termination for accepting a packet.
npf_ipv6_recv_rules
struct npf_rule_list npf_ipv6_recv_rules
rule list applied for IPv6 incoming packets
npf_ipv4_recv_rules
struct npf_rule_list npf_ipv4_recv_rules
rule list applied for IPv4 incoming packets
npf_append_rule
void npf_append_rule(struct npf_rule_list *rules, struct npf_rule *rule)
Append a rule at the end of given rule list.
sys_slist_t
struct _slist sys_slist_t
Single-linked list structure.
Definition: slist.h:49
sys_snode_t
struct _snode sys_snode_t
Single-linked list node structure.
Definition: slist.h:39
net_core.h
Network core definitions.
bool
#define bool
Definition: stdbool.h:13
uint32_t
__UINT32_TYPE__ uint32_t
Definition: stdint.h:90
uint8_t
__UINT8_TYPE__ uint8_t
Definition: stdint.h:88
uint16_t
__UINT16_TYPE__ uint16_t
Definition: stdint.h:89
k_spinlock
Kernel Spin Lock.
Definition: spinlock.h:45
net_eth_addr
Ethernet address.
Definition: ethernet.h:51
net_if
Network Interface structure.
Definition: net_if.h:678
net_pkt
Network packet.
Definition: net_pkt.h:67
npf_rule_list
rule set for a given test location
Definition: net_pkt_filter.h:61
npf_rule_list::rule_head
sys_slist_t rule_head
List head.
Definition: net_pkt_filter.h:62
npf_rule_list::lock
struct k_spinlock lock
Lock protecting the list access.
Definition: net_pkt_filter.h:63
npf_rule
filter rule structure
Definition: net_pkt_filter.h:48
npf_rule::nb_tests
uint32_t nb_tests
number of tests for this rule
Definition: net_pkt_filter.h:51
npf_rule::tests
struct npf_test * tests[]
pointers to npf_test instances
Definition: net_pkt_filter.h:52
npf_rule::result
enum net_verdict result
result if all tests pass
Definition: net_pkt_filter.h:50
npf_rule::node
sys_snode_t node
Slist rule list node.
Definition: net_pkt_filter.h:49
npf_test
common filter test structure to be embedded into larger structures
Definition: net_pkt_filter.h:43
npf_test::fn
npf_test_fn_t * fn
packet condition test function
Definition: net_pkt_filter.h:44